The present invention relates generally to a public key certificate issuing system, a public key certificate issuing method, an information processing apparatus, an information recording medium, and a program storage medium which are associated with the issuance of a public key certificate for certifying the validity of a public key for use in encrypted data transmission in an electronic distribution system. Further, the present invention relates to a public key certificate issuing system, a public key certificate issuing method, an information processing apparatus, an information recording medium, and a program storage medium which are enhanced in the user-friendliness at the entities which use public key certificates issued by a certificate authority (CA) corresponding to a plurality of signature algorithms.
These days, various kinds of software data including game programs, audio data, image data, and document creating programs are distributed via communication networks including the Internet (these electrically distributed data are referred to as “content”) . At the same time, network-based businesses such as online shopping are steadily gaining force.
In the network-based data communication such as mentioned above, the data sending side and the data receiving side authenticate with each other that each side is the authorized party of the communication of the other side before performing information transfer via the network. Namely, it is a general practice for each party of communication to have a data transfer configuration with data security taken into consideration. One of the techniques for implementing the security configuration in data transfer is transfer data encryption processing and data signature processing.
Encrypted data can be returned to decrypted data (or plain text), which is a readable message, by decryption processing based on a predetermined procedure. Data encryption and decryption methods for using an encryption key for encryption processing and a decryption key for decryption processing are well known.
There are various forms of the data encryption and decryption methods based on encryption and decryption keys. One of them is a so-called public key cryptosystem. In the public key cryptosystem, a message sender and a message recipient have different keys, one being a public key available to unspecified users while the other being a private key. For example, the data encryption key is used as the public key and the data decryption key as the private key; alternatively, an authentication code generating key is used as the private key while an authentication code decryption key as the public key.
Unlike a so-called common key cryptosystem in which a common key is used for both encryption and decryption, the public key cryptosystem is advantageous in the management of keys because only one particular person may have the private key, which must be kept secret. However, the public key cryptosystem is slower than the common key cryptosystem in data processing speed and therefore often used for such applications requiring only small amounts of data as the delivery of a private key and the execution of digital signature. A typical public key cryptosystem is RSA (Rivest-Sharmir-Adleman). RSA uses a product of very large two prime numbers (for example, 150 digits) to make it difficult to perform factorization (and discrete logarithm) on the product.
Another typical public key cryptosystem is elliptic curve cryptography (ECC), in which computations can be defined between points on an elliptic curve to create a similarity of discrete logarithmic problem (namely, elliptic curve discrete logarithmic problem).
While RSA cryptosystem based on factorization into prime factors (and discrete logarithm) has sub-exponential decryption, elliptic curve logarithm is considered to have only exponential decryption. While the key size of RSA cryptosystem based on discrete logarithmic problem is 512, 1024, or 2048 bits, the key size of ECC is 160, 192, or 224 bits, which provides generally the same level of security as that of RSA with a shorter key size, resulting in enhanced processing speed.
The public key cryptosystem is configured to allow unspecified users to use a public key and often uses a method of using a certificate for verifying whether a distributed public key is valid or not, the certificate being called a public key certificate. For example, user A generates a pair of public key and private key and sends the generated public key to a certificate authority to obtain a public key certificate therefrom. User A makes public this public key certificate. Unspecified users obtain the public key from the public key certificate through a predetermined procedure and encrypt a document by the obtained public key, sending the encrypted document to user A. User A decrypts the received encrypted document by the private key. Also, user A attaches a signature to a document for example by use of the private key and unspecified users obtain the public key from the public key certificate through a predetermined procedure to verify the signature.
The following describes a public key certificate with reference to FIG 1. A public key certificate is issued by a certificate authority (CA) or an issuer authority (IA) in the public key cryptosystem. The public key certificate is prepared by a user submitting his ID and public key to a certificate authority and this certificate authority then attaching its ID, validity and signature to the information submitted by the user.
The public key cryptosystem shown in FIG. 1 includes certificate's version number, certificate's serial number allocated by a certificate authority to a certificate's user, the algorithm and parameter of the above-mentioned RSA or ECC used for digital signature, the name of the certificate authority, certificate's validity, the name (user ID) of user of the certificate authority, and the public key and digital signature of this user.
The digital signature is generated over all of certificate's version number, certificate's serial number allocated by a certificate authority to a certificate's user, the algorithm and parameter of the above-mentioned RSA or ECC used for digital signature, the name of the certificate authority, certificate's validity, the name of user of the certificate authority, and the public key of the user. For example, the digital signature consists of data generated by generating a hash value on the basis of a hash function and applying the private key of the certificate authority to the generated hash value.
The certificate authority issues the public key certificate as shown in FIG. 1, updates an invalidated public key certificate, and creates, manages, and distributes a list of users who made unauthorized access in order to exclude these users (this is called revocation). Also, the certificate authority generates a public key and a private key as required.
On the other hand, when using this public key certificate, the user uses the public key of the certificate authority held by him, verifies the digital signature of this public key certificate, and, if the verification is successful, takes the public key from the public key certificate to use the public key. Therefore, the users of the public key certificate must all hold the public key of a common certificate authority.
In a data transmission system based on the public key cryptosystem which uses the public key certificate issued by a certificate authority as described above, the digital signature of the public key certificate is verified and, if the verification is successful, the public key is taken out of the public key certificate. By use of this public key, the user can execute the certification processing based on public key cryptosystem or the transfer data encryption or decryption processing based on public key cryptosystem. However, the entities such as user devices that execute various processing operations based on public key cryptosystem are rarely compatible with all of various cryptosystem algorithms such as ECC and RSA described above; in many cases, these entities can only execute processes which are compatible with either ECC algorithm or RSA algorithm.
The devices which can execute only a single cryptosystem algorithm or particular cryptosystem algorithms can use only the public key certificates which have a signature algorithm or algorithms based on that cryptosystem algorithm or the particular cryptosystem algorithms. Therefore, if these devices receive a public key certificate signed with a different algorithm, they cannot verify the signature, being incapable of executing public key certificate verification.
Conventionally, as shown in FIG. 2 for example, an ECC device 23 which can process ECC algorithm sends a public key certificate issuing request or an update request to an ECC registration authority (ECC-RA) 22 which executes signature processing based on ECC algorithm. The ECC registration authority 22 certifies the entities and devices participating in each service, receives a public key certificate issuing request from each device, and sends the received request to the ECC certificate authority (ECC-CA) 21 which executes signature processing based on ECC algorithm. In response, the ECC certificate authority (ECC-CA) 21 issues a public key certificate on which the signature processing based on ECC algorithm has been executed and distributes this public key certificate to the ECC device 23 via the ECC registration authority 22.
On the other hand, a RSA device 33 capable of processing RSA algorithm sends a public key certificate issuing request or an update request to a RSA registration authority (RSA-RA) 32 which executes the signature processing based on RSA algorithm. The RSA registration authority 32 certifies the entities and devices participating in each service, receives a public key certificate issuing request from each device, and sends the received request to a RSA certificate authority (RSA-CA) 31 which executes signature processing based on RSA algorithm. In response, the RSA certificate authority (RSA-CA) 31 issues a public key certificate on which the signature processing based on RSA algorithm has been executed and distributes this public key certificate to the RSA device 33 via the RSA registration authority 32.
Thus, processing blocks corresponding to two or more different signature algorithms are constructed and certification and encrypted data communication are executed based on the public key cryptosystems which are closed to the systems built in these processing blocks.
The ECC device 23 cannot verify the signature of a public key certificate signed with RSA algorithm received from the RSA device 33, so that the ECC device 23 cannot verify the validity of the received public key certificate, which therefore does not provide the function as a certificate. Conversely, the RSA device 33 cannot verify the signature of a public key certificate signed with ECC algorithm received from the ECC device 23, being incapable of verifying the validity of the received public key certificate.
In order for the ECC device 23 and the RSA device 33 shown in FIG. 2 to verify the validity of the public key certificate of each other, a configuration must be used where the ECC device 23 and the RSA device 33 send the public key certificates received from each other to the ECC registration authority 22 and the RSA registration authority 32 and then to the ECC certificate authority (ECC-CA) 21 and the RSA certificate authority (RSA-CA) 31 respectively. Inquiries are executed between the ECC certificate authority (ECC-CA) 21 and the RSA certificate authority (RSA-CA) 31, and the inquiry results are sent to the devices in place of certification.
The above-mentioned configuration is shown in FIG. 3. In order to execute cross-certification with the ECC device 23, the RSA device 33 sends the public key certificate of its own to the ECC device 23. This public key certificate is signed by the RSA certificate authority (RSA-CA) 31. Because the ECC device 23 cannot verify the certificate issued the RSA certificate authority (RSA-CA) 31, the ECC device 23 inquires the ECC certificate authority (ECC-CA) 21 for the validity of the certificate via the ECC registration authority (ECC-RA) 22.
The ECC certificate authority (ECC-CA) 21 inquires the RSA certificate authority (RSA-CA) 31 for the validity of the certificate. Further, the RSA certificate authority (RSA-CA) 31 confirms the validity of the certificate and returns the result to the ECC certificate authority (ECC-CA) 21. Next, the ECC certificate authority (ECC-CA) 21 returns the result to the ECC device 23 via the ECC registration authority (ECC-RA) 22. The ECC device 23 certifies the RSA device 33 by confirming the validity of the certificate.
As described, end entities (EEs) having public key certificates based on different signature algorithms cannot cross-certify each other, so that the related-art technology has a drawback of having to perform the above-mentioned processing in data communication.